By CIOinsight

Security 2002: Rethinking Risk




What have American businesses done since last September to improve their ability to deal with terrorism or other disasters? Judging from our survey of 337 executives on the aftermath of the Sept. 11 terrorist attacks, they have done a great deal. While spending on business continuity hasn't consistently increased, new companywide procedures have been put in place. After a year of planning in response to the threat of terrorism, the executives generally are well-prepared: A substantial majority is firm in the belief that their companies can continue critical business operations even after a catastrophic attack.

Many companies were affected by Sept. 11 in some way, and it has left them far more concerned about preparing for disasters—46% of respondents still retain a strong sense of urgency, only a small drop from immediately after the attacks. While most IT execs still feel their companies' business continuity plans could be inadequate in the case of the most extreme possibilities, such as nuclear attacks or bioterrorism, most feel capable of handling cyberterrorism and other IT security breaches.

Companies have responded to Sept. 11 by reassessing their risk, drawing both IT and business executives into contingency planning and enforcing security procedures. Many firms have also taken steps to minimize risks by relocating, dispersing or distributing parts of their IT infrastructure, such as servers and storage. But these precautions usually do not include increased spending on business continuity—in fact, a substantial percentage of the companies hardest hit by Sept. 11 have actually decreased spending.



A majority of the executives we surveyed are confident in their ability to continue critical business operations in the face of a malicious disaster, and perhaps they are justified: Many have tightened security procedures, decentralized computing and storage architectures, and even relocated data centers. The security experts we spoke with about the survey results, however, were not as sanguine, and they warned that many companies are likely still vulnerable.

Ian Mitroff, a crisis management specialist and business professor at the University of Southern California, says uncertainty has to be part of any plan. All too often, he says, companies rely on risk analysis, cost-benefit analysis and simplistic simulations, which don't factor in the unexpected. "The first characteristic of any major crisis is uncertainty," he says. "I left engineering because we were producing a lot of certainty junkies accustomed to solving textbook problems where you know everything. In the real world, the problem changes dynamically over time. You have to cope with extreme uncertainty. Al Qaeda is uncertain. September 11 shows the faultiness of risk analysis. You have to prepare for at least one act of terrorism."

MacDonnell Ulsch, managing director of Janus Risk Management Inc. in Marlborough, Mass., agrees. "We know the other terrorist shoe will drop, but we don't know who, what or when," he says. There are no simple answers: "You don't just buy some software and install it. We're dealing with a number of issues that are pretty complex—internal and external security, disaster recovery, business continuity, crisis management, privacy and regulatory issues."

One thing is certain: CIOs face serious budget constraints. "After Sept. 11, security has gone from being not such a hot issue to the front burner," says Donald Lee, CIO at Maryland's Department of Assessments and Taxation, in Baltimore. "We have the commitment from the executive level. But in this economy, the state is in cost-reduction mode. Money is really tight."

That's also true in the private sector. "Unfortunately, the financial impact of the terrorist attacks greatly outweighed the fear factor of spending on security," says John Pescatore, a vice president at Gartner Research. "If I'm an airline, and my revenues have disappeared, I have to delay spending—I have to report to Wall Street. The concern is up, the spending is not."

Still, many companies have changed their IT practices to ensure continuity by relocating data centers, or moving to a more distributed data processing or storage architecture. These changes were picked up in our conversations with CIOs and CTOs; everyone we spoke to was aware that after Sept. 11, what matters is location, location, location. In Phoenix, for example, Blue Cross Blue Shield of Arizona has decided to mirror critical data at a center in Tempe, Ariz.—ironically, in the same facility it once used as second data center (which was shut down in a cost-cutting move). "I've seen it go in circles," says Chief Technologist Gerard Farmer. "Years ago, everyone was on centralized mainframes, then everyone decentralized, then centralized again to save money. Now we're decentralizing again for disaster recovery reasons."

In Baltimore, Maryland's tax department surveyed its 24 offices around the state to determine where it could move its 900 employees in an emergency. "Our business continuity plan had been related to equipment and software," CIO Lee says. "But where are you going to house the staff?" The agency is also reconsidering telecommuting, something it had hesitated to use, as part of the solution.

Some companies have discovered that a backup site isn't enough. Ulsch tells of a financial services company in a suburb west of Boston that before Sept. 11 had established a hot backup site 20 miles away, anticipating that employees could reach it in 30 minutes. When bomb threats were made against financial institutions following Sept. 11, however, it took the employees six hours to get there, because every other business around them was evacuating as well.

"A number of companies have analyzed, tested and revised their plans," Ulsch says, "and they found out the plans don't do what they thought they did. There are many consequences when a disaster occurs, but companies will intellectually prepare a plan that covers only one factor."

Our survey revealed that the sense of urgency spiked after Sept. 11 and has since fallen back, something Gartner's Pescatore sees as well. "It looks like the half-life of concern was about six months. In March and April, spending was pretty much back to normal," he says.

CIOs are most worried about internal and external security breaches and cyberterrorism, the survey showed. Are they justified? Some anecdotal evidence from our conversations: Government CIOs tell of sharply higher external hacking into their systems since Sept. 11; based on their origins, many attempts are thought to be from terrorists. Several of Ulsch's large clients report up to a million automated probes of their systems a day.

Are the roughly two-thirds of our respondents who are confident of their business continuity plans for cyberterrorism and system breaches right to feel that way? "Their optimism is a little overplayed," Gartner's Pescatore says. "Our estimate is that the Internet systems of about 65 percent of Fortune 5,000 companies are vulnerable to an attack that at least results in a content change." For example, says Pescatore, several companies have had false press releases planted on their sites. The releases were picked up by newswires, which resulted in their stock dropping 50 percent. Another 25 to 30 percent are vulnerable to an attack that could cause a financially significant event that would have to be reported.

Surprising, too, was this survey result: About one in five respondents still don't have a business continuity plan. "Want to hear something even more ridiculous?" Farmer asks. "I talk to people at conferences who don't have a clue about security. These are technical people, and I'm still amazed when I learn their IT shops don't have firewalls. You can get one for a couple hundred bucks. This isn't rocket science."

Are some organizations still in denial about the terrorist threat? Mitroff thinks so. He surveyed Fortune 1,000 companies before and after Sept. 11, and found that about 85 percent are what he calls "reactive." The farther these companies are geographically from New York City, the less they are preparing for terrorism. "Only when something is close to them will they take action," he says. "A lot of organizations have their heads in the sand." He also found that the larger these reactive companies are, the less they are prepared. "They think, 'We're so big and powerful, nothing can happen to us.' The number one problem we're facing is this overwhelming denial."–Terry A. Kirkpatrick

Research Results

Research Results

The results are available in Adobe Acrobat PDF format. To download the free Adobe Acrobat Reader plug-in, click here.

Conclusion 01

Conclusion 01: Widespread Impact of Sept. 11

While only lower Manhattan and the Pentagon came under direct attack a year ago, the events of last September have had a powerful and widespread impact on U.S. business. Aside from the thousands of victims, two thirds of companies saw their business undergo some sort of disruption. Many companies suffered a considerable financial hit in the form of lost income and increased insurance premiums.

A substantial percentage of companies were directly touched by the events of Sept. 11. Twenty-two percent had customers or business partners at the World Trade Center or the Pentagon, and 11% of larger companies had an office in the vicinity. About a third of all companies said their business continuity was definitely affected. Nearly four in 10 respondents reported a significant financial impact from Sept. 11, and that figure rises to two thirds of respondents if "somewhat affected" is included. Affected companies with more than 1,000 employees lost a median of 10% of annual revenues directly because of the attacks; for smaller companies, the figure is 14%. More than three quarters of all respondents saw their property insurance premiums rise due to Sept. 11, and seven in 10 reported increased costs for casualty insurance.

Conclusion 02

Conclusion 02: Concerns are Heightened

Predictably, companies are more worried about terrorists than they were before Sept. 11. They feel prepared for IT attacks, but not for nuclear terrorism and bioterrorism, risks that are least covered by insurance. The good news is that insurance coverage for such risks as natural disasters and security breaches is fairly comprehensive.

Just one IT executive in five re-ported that other company execs felt an extreme sense of urgency over being prepared for disasters before Sept. 11. That strong sense of urgency spiked immediately after the attacks to nearly three in five, and remains at 46% today.

CIOs worry most about direct threats to IT resources. External breaches and cyberterrorism are the top two concerns, cited by about a quarter of respondents each and followed by internal security breaches, at 15%. Bioterrorism, nuclear terrorism and non-nuclear attacks all generated muted responses, ranging from 11% to 6%.

CIOs are uncertain whether their business continuity plans are up to certain challenges, particularly nuclear terrorism (74%) and bioterrorism (59%). They feel better prepared for cyberterrorism and computer security breaches, though these are still concerns for about a third of respondents.

Insurance is most comprehensive for more common events such as natural disasters and external and internal security breaches (78%, 62% and 60%, respectively). IT assets are even better covered: 69% are covered for loss of IT hardware, and 61% for interruptions of data communications. But CIOs are most concerned that their insurance doesn't cover lost employee productivity, with only 25% believing they're adequately covered for such a loss.

Conclusion 03

Conclusion 03: A Wave of Activity

Most companies have responded to Sept. 11 by rethinking their level of risk, getting IT and business execs involved in continuity planning, and taking steps to ensure business continuity after the Sept. 11 terrorist attacks. For many, these steps include decentralizing their IT architecture, moving their data center, and personnel changes. Still, while a third of businesses didn't have a business continuity plan before Sept. 11, some firms are still running blind, working without a plan to help them prepare for another disaster.

The good news is that about 80% of companies have a business continuity plan; the bad news is that about one in five companies in corporate America still do not have one. Thirty-three percent of those who had such plans before Sept. 11 say they've made or intend to make significant changes to their disaster recovery plans, including better training on security procedures and more frequent backups of corporate data. Companies that have lost more than 10% of revenues due to Sept. 11 are now more likely to back up data more frequently, but that's the only activity more than half of these respondents have stepped up.

IT departments have generally made substantive changes to their infrastructure and policies. Nearly half are likely to have modified their policies for coping with security breaches. Forty-four percent relocated their data centers, and more than half switched to a more distributed data processing architecture, both potentially expensive moves. More than six out of 10 are now using a more distributed storage scheme, which should provide cost-effective redundancy. A backup network was established by nearly two-thirds of those surveyed. Almost half added new IT security personnel. Finally, 79% are working to better ensure that their security procedures are being complied with, a predictable but low-cost step.

About eight in 10 took the basic step of performing new risk analyses after Sept. 11, and 78% are making sure that security procedures are better observed. Greater involvement by IT and business execs in the planning process and new mail-handling steps were all cited by about two-thirds of respondents. Almost half added a new organizational role such as a Chief Security Officer.

Conclusion 04

Conclusion 04: Spotty Spending, High Confidence

Despite the fact that continuity spending has not increased at more than two thirds of companies since Sept. 11, IT executives are confident they can respond to an emergency and keep the business running in the event of a catastrophe. Companies that did increase or decrease continuity spending did so by substantial percentages.

Just 31% of companies increased business continuity budgets, a seemingly low number given the widespread effects of the attacks. However, those that increased their disaster recovery spending did so dramatically, with the median budget for all such respondents rising by 20% between 2001 and 2002. Firms that decreased their spending did so by 25%—probably due to the impact of the recession on these firms.

More than a third of the companies that were most financially affected by the events of Sept. 11 actually decreased their business continuity spending, dropping it by a median of 30%.

CIOs are generally confident about their company's level of preparation. Just 57% thought their company would have been able to keep doing business after an attack a year ago. But more than seven out of 10 feel they are able to do so now, and nearly nine out of 10 believe they will be a year from now.



How the survey was done: CIO Insight designed the rethinking risk survey together with Advantage Business Research Inc. (www. advantageresearch.com), a Lake Success, N.Y.-based supplier of custom research services. CIOs, chief technology officers, and vice presidents of information technology and services gathered from a number of sources, including third-party lists and other Ziff Davis Media publications, were invited to participate in the study by e-mail. The questions were posted on a password-protected Web site, and 337 qualified respondents replied from June 21 to June 28, 2002. All qualified respondents described themselves as knowledgeable or very knowledgeable about their company's disaster recovery, business continuity and security practices.



The results of this survey are more encouraging than the findings from our survey on security, published in the February 2002 issue: We found uneven spending but a pattern of strong responses to the disasters of Sept. 11. Still, we are surprised that 90% of IT executives show such a high degree of confidence that they can maintain operations in event of an attack, given their fears that their business continuity plans could be inadequate in the face of a major terrorist onslaught. While such catastrophes are unlikely, we think CIOs should ask whether they are being too optimistic, and whether they need to better prepare their organizations for surviving major impacts to business continuity. These preparations could include reviewing continuity plans, checking insurance policies and ensuring that their organization doesn't become complacent. Despite the state of the economy, CIOs need to prepare their companies for future threats.

This article was originally published on 09-16-2002